Hello,

I have some problems obtaining validation to go live in Production with an image because Twistlock reports a critical alert (CVSS 7.5), CVE-2024-47554, in Apache Cayenne.

https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1
https://nvd.nist.gov/vuln/detail/CVE-2024-47554

Actually, Apache Cayenne 4.2.2 uses velocity-engine-core 2.3, which references an affected version of the commons.io library (2.8.0).

Is it planned to fix this CVE by including version 2.4 or 2.4.1 of the velocity-engine-core library in the next release of Apache Cayenne? If not, how can we push this demand? Is it possible to add an evolution for the inclusion of velocity-engine-core 2.4 or 2.4.1 in the next release of Apache Cayenne so as not to have the CVE-2024-47554 vulnerability?

Best regards,
Denis LAMARCHE